← field notes

The Fraud That Turns Text Messages Into a Money Pipe

imagine a vending machine that charges the office every time its button is pressed, whether anyone takes the drink or not. now imagine that part of each payment flows to the company maintaining the hallway, and someone connected to that company hires a machine to press the button all night. nothing useful is consumed. the bill is still real.

that is the basic shape of SMS pumping fraud. a signup page offers to send a verification code, an automated system asks for thousands of them, and a business pays for messages that no genuine customer wanted. the code is not stolen or read. its only job is to travel far enough through the telephone network for someone along the route to collect a slice of the charge.

the small charge behind the button

an OTP text feels free to the person receiving it, but it is not free to the company sending it. each message is application-to-person traffic, usually shortened to A2P: software sending a text to a human phone. the application pays a messaging provider, which buys access through aggregators and carriers until the message reaches the destination network.

every participant may charge for its part of that journey. one message can cost only a few cents, but the price changes sharply by country, carrier, and route. at normal signup volume, those cents are a routine cost of doing business. at automated volume, they become a meter running in an empty room.

this is why the send-code button is financially unusual. it lets an anonymous visitor cause a company to purchase something from a third party before proving that the visitor is real. the company sees customer acquisition. the telephone chain sees a billable event.

how a text becomes a money pipe

the fraud begins where those incentives meet. a party with access to phone numbers on a costly destination, and some financial interest in traffic reaching that destination, arranges for automated requests to trigger verification messages. the application orders the texts. the messaging chain carries them. the company receives the invoice.

some arrangements involve premium-priced number ranges or explicit revenue sharing. others depend on a dishonest or compromised carrier, reseller, or traffic partner receiving more money when more messages cross its route. the exact accounting can be murky, especially across borders, but the economic engine is simple: manufacture traffic, make someone else buy it, then keep part of the delivery revenue.

the bot does not need to create useful accounts or read the code. it only needs a public workflow willing to send a paid message in response to an untrusted request. interception wants the secret inside the text. pumping wants the invoice created by it.

the chain hides the beneficiary

an international message rarely moves through one clean relationship. the application may buy from a communications platform, which buys from aggregators before reaching a mobile network. commercial agreements and local rules shape the path.

that distance gives the scheme cover. the business sees a destination number and a delivery charge, not necessarily the party benefiting at the far end. the sender’s provider may see a sudden wave of technically valid requests. the terminating network sees messages addressed to numbers it serves. each link can claim it merely handled traffic supplied by someone else.

not every expensive route is corrupt, and not every burst toward a small country is fraud. product launches, migrations, emergencies, and real user growth can produce strange traffic. defenders therefore cannot treat geography or price alone as proof. the chain is difficult precisely because legitimate delivery and artificial delivery use the same pipes and create the same basic billing records.

why the phone owner is usually not the victim

ordinary SMS scams target the person holding the phone. they want a click, a password, or a reply. pumping usually reverses that picture. the person attached to the destination number may see a pile of meaningless codes, may control a block of numbers, or may not be meaningfully involved at all. the direct financial victim is the business whose application ordered the messages.

the charge lands on the enterprise account because A2P messaging normally follows a sender-pays model. the receiving phone is not buying each OTP. this can make the fraud look harmless from the consumer side while a company accumulates a severe communications bill in the background.

real customers can face delayed codes when queues fill or defensive blocks become blunt. but the first clean transfer is from the company paying to send a code nobody intends to use toward the chain paid to deliver it.

volume turns pennies into losses

the arithmetic is what made the scheme famous. a single useless text is noise. a machine generating requests around the clock can turn that noise into millions of chargeable events, and expensive international routes magnify every one.

Twitter became the most visible example when Elon Musk said the company was losing about $60 million a year to fraudulent two-factor authentication texts. that number was a public claim, not a transparent audit, so it should not be treated as a settled measurement. the useful point is the order of magnitude: a global platform can spend tens of millions when tiny message charges are multiplied by industrial traffic.

smaller companies feel the same mechanism with less room to absorb it. because invoices may arrive after the traffic has passed, the first alert can be financial rather than technical. by then, every delivery has done what the fraudulent economics required.

the conversion rate tells the truth

the most revealing signal is not raw message count. it is what happens after delivery. legitimate verification traffic continues into completed signups, successful logins, password resets, or other expected actions. pumped traffic produces a mountain of sent codes and almost no verified users.

defenders therefore watch conversion by country, carrier, number range, and messaging route. a route that suddenly carries ten times more OTP traffic while completed verifications collapse is not healthy growth. it is cost without product activity, the digital equivalent of a turnstile spinning while the room beyond it stays empty.

measurement must be narrow enough to expose the pocket of abuse. a worldwide average can look normal while one prefix burns money. request volume, verification success, and route price together give a fuller picture than any signal alone.

putting brakes on the meter

the first defense is rate limiting, but useful limits exist at several layers. a destination number should not receive endless codes. neither should a number range, country prefix, account session, device, or network source be able to cause unlimited paid sends. overlapping limits matter because artificial traffic can be spread across many individual numbers to keep each one below a simple threshold.

country controls are another brake. a service with no customers in a region has little reason to accept an overnight surge of verification requests there, especially when the route is unusually expensive. blocking or requiring extra review for suspicious prefixes can stop the bill quickly.

the trade-off is real. country codes do not perfectly describe where a person is, travelers exist, and legitimate markets can appear before a company’s models expect them. broad blocks can exclude genuine users. the honest defense is not to assume every costly destination is criminal, but to make the amount of trust and spending match the evidence of real demand.

pricing is also a security signal

many fraud systems were built to ask whether a request looks automated. SMS pumping requires another question: how much could this request cost if it is wrong? ten suspicious sends toward a cheap domestic route and ten toward a premium international route do not carry the same exposure.

good controls connect product telemetry to billing telemetry. they track spend velocity, price per delivered message, delivery patterns, and conversion for each route. budgets and alerts can then close a route before the monthly invoice explains what happened. a security team that watches requests without watching unit economics sees only half the attack.

providers have a broader view than any single customer. an aggregator can notice the same number ranges drawing artificial traffic from many applications. that can identify risky destinations earlier, but it creates an uncomfortable dependency: the business may rely on a vendor to police a chain from which several parties earn money.

removing the paid event

the strongest answer is sometimes to stop sending the text. modern phones and mobile networks can verify certain signals silently, using a trusted device session, an authenticated application, or a carrier-backed check without placing an OTP in an inbox. passkeys and other device-bound methods can also move routine authentication away from SMS.

this changes the economics because an anonymous button press no longer guarantees a billable message. risk can be assessed first, and SMS can remain as a fallback for cases that truly need it. fewer automatic texts mean fewer coins entering the pipe.

silent verification is not magic. carrier support varies, privacy questions remain, and any fallback can become the new target. removing SMS entirely can lock out people with older devices or limited connectivity. the practical direction is gradual: reserve paid messages for flows with enough trust.

the honest shape of the fraud

SMS pumping is easy to misunderstand because the visible artifact is an ordinary security code. nobody has to crack it. nobody has to use it. the fraud lives one layer below, in the agreement that pays for moving it.

that is also why no single CAPTCHA, prefix block, or rate limit settles the problem. automated requests change shape, legitimate users share networks, and corrupt incentives can sit several contracts away from the sender. defenses work by shrinking the paid surface: limiting destinations, watching conversion route by route, treating price as risk, challenging suspicious demand, and replacing the message where the device can prove enough without it.

the machinery was built on a reasonable promise: when an application sends a text, the network gets paid for carrying it. pumping turns that promise inside out. it creates the journey only because the journey is paid, leaving companies to fund millions of codes that arrive, expire, and disappear unread. the message is empty. the money moving behind it is the entire point.

watch
The Hidden Internet on YouTube

Every field note starts as a short documentary. Watch the systems in this piece explained on screen.

subscribe →
read on
More field notes

The rest of the series on how the modern internet detects, tracks, and sorts the traffic that reaches it.

browse the archive →